If you care about the topic of Windows updating/servicing, this is the presentation for you. This presentation is all about current Windows (client & server), but NOT Windows 10. There are some topics discussed for Windows 7 and Windows Server 2008 R2. Windows 10 strategies were covered at Ignite in other presentations.

NOTE: I want to point out that I am NOT a member of the Windows PG; I am a Platforms PFE in Microsoft Premier Services. All of the information in this blog post is what was discussed in the Ignite presentation. The OFFICIAL bottom line on all these topics will come from the authoritative blog: Windows for IT Pros.

IMPORTANT: None of this information changes any guidance on security updates. Security updates should be applied as soon as possible, within existing change management processes for the enterprise. Microsoft guidance on security updates and other related topics is available at this location:

Windows Updates: Categorization Processes

Since Windows 8, Microsoft has released updates that are NOT categorized as "Critical" or "Important"; those updates are released with status "Optional". This included most, if not all, of the previous monthly Windows 8x/Server 2012x rollups.

Optional updates are discovered and installed by a relatively small percentage of users around the world that are Windows Update clients.

Keeping the updates as Optional (at first) provides time to discover and correct problems before those updates are promoted to status Recommended or Important.

Microsoft would like more customers not only to try Optional updates as soon as possible, but also to opt in to the Customer Experience Improvement Program (CEIP) so their computing devices can send telemetry back to Microsoft, including how those update installations went.

Having IT Pros and enterprise customers send telemetry on Windows updates further aids in evaluating overall product quality with patches. The enterprise segment is very important for Windows updates because enterprise environments differ from consumer devices, and thus can help uncover issues that may not otherwise be discovered until deployment.

Hotfix Deployment Guidance: Then and Now

The text in today’s hotfix KB articles says not to apply the hotfix unless you experience the particular problem it describes. Microsoft is changing the guidance on hotfixes and Optional updates to say “don’t wait to experience blue-screens, hangs, or data corruptions issues if there is a fix available that could correct these today”. Proactively evaluate available fixes, whether Optional or hotfixes, as those fixes are in fact tested more stringently than in the past. Problems such as bugchecks, hangs, or data corruption are not problems you should wait to experience.

Optional Update Guidance & Other

Microsoft would like to get telemetry on Optional updates from IT Pros, which will help update quality and be a determinant for promotion to Recommended or Important.

Once an update appears in WU as "Recommended", that particular fix has already been installed/deployed to millions of Windows devices, so it has been vetted to some degree.

Going forward, Windows updates listed as Recommended, Optional, or Important will be published as "one fix, one package".

Microsoft wants all customers to proactively install updates to help overall product quality.

The bottom line: Microsoft would like customers to proactively install available updates, not just security updates. For the enterprise, this would mean introducing Optional updates into the change control process as soon as they are released, for eventual rollout to the production computer systems.
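
One way to feed pending updates into change control, as an added example (not from the presentation): it queries the Windows Update Agent COM API and lists each pending update with its MSRC severity, classification and reboot behavior. The Windows Update label is inferred from the `BrowseOnly` and `AutoSelectOnWebSites` flags, which is an assumption of this example.

```powershell
# Added example: inventory pending updates for change-control review.
# Uses the Windows Update Agent COM API; run on the machine being assessed.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$found    = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")

$report = foreach ($u in $found.Updates) {
    # Assumption: label inferred from WUA flags. BrowseOnly marks updates
    # treated as optional; AutoSelectOnWebSites marks auto-selected updates.
    if ($u.BrowseOnly) {
        $label = 'Optional'
    } elseif ($u.AutoSelectOnWebSites) {
        $label = 'Important'
    } else {
        $label = 'Recommended (inferred)'
    }

    # WSUS/SCCM-style classification, e.g. "Security Updates", "Update Rollups"
    $class = ($u.Categories |
        Where-Object { $_.Type -eq 'UpdateClassification' } |
        ForEach-Object { $_.Name }) -join ','

    # Severity is empty for non-security updates
    $severity = $u.MsrcSeverity
    if (-not $severity) { $severity = '(none)' }

    New-Object PSObject -Property @{
        KB             = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        WULabel        = $label
        MsrcSeverity   = $severity
        Classification = $class
        # RebootBehavior: 0 = never reboots, 1 = always, 2 = can request
        MayReboot      = ($u.InstallationBehavior.RebootBehavior -ne 0)
        Title          = $u.Title
    }
}

# Optional updates first, so they enter evaluation as soon as they are released
$report |
    Sort-Object WULabel, MsrcSeverity |
    Format-Table KB, WULabel, MsrcSeverity, Classification, MayReboot -AutoSize

# Per-label summary for the change record
$report | Group-Object WULabel | Select-Object Name, Count
```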

What about those Rollups?

Rollups are a single package with multiple fixes.

Up until December 2014, Windows 8x/2012x had "monthly rollups". At least for now, no more monthly rollups.

From time to time there may be cumulative "convenience rollups" (not a technical term). These provide a way to get current with all fixes by applying one package.

Fair points for sure. One thing I would highly recommend is participate in the Insider programs and provide this feedback. I can tell you that the Windows PG is very well aware of this feedback and I’m sure they are doing everything they can to reduce restarts. Thierry even mentioned that in the Ignite presentation (URL in above blog post). Also there are Microsoft IT Pro events still going on at some cities in North America. See this link for more:

I am not an SCCM PFE, but I believe SCCM usually gets its content from a WSUS feed. So those updates would come in to SCCM with the same categories/statuses as they were published by Microsoft, so no different.

For domain joined computers, Windows Update can be controlled through group policy. GP can be set so that only "Important" and "Critical" updates are automatically applied by either WSUS or SCCM. And even then, I believe someone has to approve those for release or publication to a collection of computers.

And Seaghán, the updates carry their "ranking" from the time they are published by Microsoft. Microsoft can change that ranking, which they pointed out in the presentation, through a process called "promotion". But from what I understand, they only do this for "Optional" and "Recommended", not "Critical" or "Important" (though I have no inside knowledge of how any of that works).

What I advocate for customers I consult with is to keep doing what they do now for Critical security updates, and Important updates. But evaluate the "Optional" and "Recommended" updates sooner rather than later. Those monthly rollups often had very important fixes to Windows Server, but the information wasn’t easily discoverable… you had to go to the KB, and then read through all the fixes in the rollup, and possibly click there to read another KB. By moving to the "one fix one package" model, there will be fewer fixes for each computer to evaluate through the WU client, and it will hopefully be easier to review the fixes to determine if they are applicable or not.

This article brings up a major source of confusion and headaches regarding Microsoft’s updates.

The article uses all the Windows Update terms: Critical, Important, Recommended and Optional!

Most of us in the Enterprise are going by the MSRC Severity (Critical, Important, Moderate, or Low) or WSUS/SCCM categories (Security Update, Critical Update, Update, Update Rollup, Service Pack, Feature Pack, Definition Update, Driver).

If they want more participation, perhaps they should start by standardizing their categories.

If MS wants IT pros to help you, you need to help us. We need fewer patches that require a reboot. Especially on the server side. Windows core does nothing to help. Every month I have to reboot core servers due to updates just like my GUI servers. When Windows can install patches without rebooting, then you can abandon patch Tuesday. The strategy to release updates whenever they are available may fly with consumers, but it won’t benefit my business desktops and servers!

@save patch Tuesday – Have you tried "removing" the features from the online image? Because of how the WinSXS works, a role/feature with the "install state" (Get-WindowsFeature) of ‘Available’ will still be patched in the event that you install it at a later date. If you use the -Remove switch on the Uninstall-WindowsFeature cmdlet, the payload is removed from the online image and does not require servicing (the InstallState = ‘Removed’). This should lower the overall servicing requirements for a box with only the minimal amount of roles/features being patched, saving time & reboots.
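
The payload removal described in the comment above, as an added PowerShell example (not code from the post or its commenters): it finds features in the 'Available' state and removes their payloads with `Uninstall-WindowsFeature -Remove`. The `$Keep` list is constructed for illustration; run the script elevated, and with `-WhatIf` first.

```powershell
# Added example: remove on-disk payloads of roles/features that are not installed.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Constructed allow-list: payloads to keep staged for later offline install
    [string[]]$Keep = @('Windows-Server-Backup', 'Telnet-Client')
)

Import-Module ServerManager

# 'Available' = not installed, but the payload is still in the component store
$candidates = @(Get-WindowsFeature |
    Where-Object { $_.InstallState -eq 'Available' -and $Keep -notcontains $_.Name })

Write-Verbose ("{0} feature payloads are staged but not installed" -f $candidates.Count)

$results = foreach ($feature in $candidates) {
    # Honors -WhatIf / -Confirm so the change can be reviewed before it is made
    if ($PSCmdlet.ShouldProcess($feature.Name, 'Remove payload from online image')) {
        $r = Uninstall-WindowsFeature -Name $feature.Name -Remove
        New-Object PSObject -Property @{
            Feature       = $feature.Name
            Success       = $r.Success
            RestartNeeded = $r.RestartNeeded
        }
    }
}
$results | Format-Table Feature, Success, RestartNeeded -AutoSize

# Confirm the resulting state. A feature in state 'Removed' needs an install
# source (Windows Update or Install-WindowsFeature -Source) to be added back.
Get-WindowsFeature |
    Group-Object InstallState |
    Select-Object Name, Count
```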

“…don’t wait to experience blue-screens, hangs, or data corruptions issues if there is a fix available that could correct these today”. – The logic is flawed: you won’t know you need it until your server BSODs and you start Googling it.

So what is Microsoft doing about *efficiently* advertising the availability of hotfixes?

Or any "convenience updates" for 2012 R2? A brand new system deployed using the latest update rollup from December 2014 has 148 pending important updates when it starts up, which adds significant time to our deployment process.

I agree with the last three replies: Microsoft, please give us:
* A clear list of available hotfixes.
* A "Convenience Rollup" for Server 2012 R2, maybe even including the hotfixes.
* A package to get Windows 7 / Server 2008 R2 quickly up-to-date.